Understanding network traffic through Intraflow data
Size: px
Start display at page:

Download "Understanding network traffic through Intraflow data"

Transcription

1 Understanding network traffic through Intraflow data David McGrew and Blake Anderson FloCon 2016

2 Exploring threat data features at scale pcap pcap2flow json Offline joy pcap2flow json Online exporter collecto r json

3 Flow Monitoring srcip, dstip, srcport, dstport, prot, starttime, stoptime, numbytes, numpackets Observation Export Collection Analysis Storage Observation Observation

4 I need to understand traffic even when it is encrypted I need to understand all the traffic in my network, not just traffic that passes through a security appliance Known threats and malware Evasive applications and tunnels TLS, SSH, and other encrypted traffic (on any port) Monitoring internal traffic Forensics Crypto usage audit

5 Flow Monitoring srcip, dstip, srcport, dstport, prot, starttime, stoptime, numbytes, numpackets Observation Export Collection Analysis Storage Observation Observation New Data Features

6 Intraflow data Information about events or data inside of flows that can be conveniently collected, stored, and analyzed within a flow monitoring framework

7 Intraflow data Economical observation Unidirectional Minimal computation Small snaplen Application/protocol independence Compactness Observation Transmission and storage Composability

8 Architecture Flow Records Classifier

9 Training architecture Malware Detonation Malware Records Training Classifier Benign Records

10 New Telemetry Data Features Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10

11 Enhanced Telemetry Data Types SPLT Sequence of Packet Lengths and Arrival Times src dst Byte Distribution Relative frequency for each byte in a flow Byte Entropy Initial Data Packet

12 Sequence of Packet Lengths and Times Client packets src dst Server packets Time

13 Byte Distribution H T T P / O K f 31 2e f 4b

14 Byte Distribution H T T P / O K f 31 2e f 4b 1

15 Byte Distribution H T T P / O K f 31 2e f 4b 1 1

16 Byte Distribution H T T P / O K f 31 2e f 4b 2 1

17 Byte Distribution H T T P / O K f 31 2e f 4b 1 2 1

18 Byte Distribution for different encodings

19 JSON flow data Conventional flow data Intraflow data Extracted parameters Easy to use with data analytics and machine learning tools

20 Initial Data Packet SYN SYN ACK ACK Data Data Data Data

21 Initial Data Packet SYN SYN ACK IDP ACK Data Data Data Data

22 Experimental results Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

23 Performance CPU: Intel 2.70GHz 17% utilization at 1.0e7 bytes/sec, 1.2e4 packets/sec Approx 870 Mbits/sec at full utilization RAM: 8Gbyte 2.7% utilization (216 Mbyte) Byte Distribution Everything else Flow lookup, alloc, init

24 Detecting malware with SPLT and Byte Distribution Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26

25 Analytics User Interface

26 Malware Classification

27 Classifying flows as malicious/benign L1-logistic regression SPLT + 5-tuple L1-logistic regression SPLT + 5-tuple + BD

28 Classifying flows as malicious/benign L1-logistic regression SPLT + 5-tuple 160 non-zero parameters 0.01 FDR: 51.11% Total Accuracy: 98.44% L1-logistic regression SPLT + 5-tuple + BD 128 non-zero parameters 0.01 FDR: 98.92% Total Accuracy: 99.81%

29 Intraflow data Economical observation Unidirectional Minimal computation Small snaplen Application/protocol independence Compactness Observation Transmission and storage Composability SPLT 10 packets 10 bytes 10 bytes Byte Distribution No 256 bytes 256 bytes

30 Intraflow data Economical observation Unidirectional Minimal computation Small snaplen Application/protocol independence Compactness Observation Transmission and storage Composability SPLT 10 packets 10 bytes 10 bytes Byte Distribution No 256 bytes 256 bytes 16 bytes

31 Conclusions Intraflow data is feasible to implement, enables useful inferences SPLT is valuable and relatively cheap Byte Distribution is valuable but more costly Training classifiers is key Data fusion

32 Thank You Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34

33 Joy applications pcap pcap2flow json Server Threat Intelligence online pcap2flow json Server Endpoint online pcap2flow json Server SPAN or TAP online pcap2flow json Raspberry Pi Home

Similar documents

Classifying Encrypted Traffic with TLSaware

Classifying Encrypted Traffic with TLSaware Classifying Encrypted Traffic with TLSaware Telemetry Blake Anderson, David McGrew, and Alison Kendler blaander@cisco.com, mcgrew@cisco.com, alkendle@cisco.com FloCon 2016 Problem Statement I need to understand

More information

Applied Advanced Network Telemetry: ETA and Beyond

Applied Advanced Network Telemetry: ETA and Beyond BRKSEC-2809 Applied Advanced Network Telemetry: ETA and Beyond TK Keanini, Principal Engineer Blake Anderson, Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker

More information

An Introduction to Monitoring Encrypted Network Traffic with "Joy"

An Introduction to Monitoring Encrypted Network Traffic with Joy An Introduction to Monitoring Encrypted Network Traffic with "Joy" Philip Perricone (SE) Bill Hudson (TL) Blake Anderson (TL) David McGrew (Fellow) Cisco Spark How Questions? Use Cisco Spark to communicate

More information

Encrypted Traffic Analytics

Encrypted Traffic Analytics Encrypted Traffic Analytics Introduction The rapid rise in encrypted traffic is changing the threat landscape. As more businesses become digital, a significant number of services and applications are using

More information

Configuring Encrypted Traffic Analytics

Configuring Encrypted Traffic Analytics Restrictions for Encrypted Traffic Analytics, page 1 Information about Encrypted Traffic Analytics, page 1 How to Configure Encrypted Traffic Analytics, page 2 Configuration Examples, page 4 Additional

More information

Hardware Flow Offload. What is it? Why you should matter?

Hardware Flow Offload. What is it? Why you should matter? Hardware Offload What is it? Why you should matter? Good News: Network Speed The market is moving from 10 Gbit to 40/100 Gbit At 40 Gbit frame inter-arrival time is ~16 nsec At 100 Gbit frame inter-arrival

More information

Detecting malware even when it is encrypted

Detecting malware even when it is encrypted Detecting malware even when it is encrypted Machine Learning for network HTTPS analysis František Střasák strasfra@fel.cvut.cz @FrenkyStrasak Sebastian Garcia sebastian.garcia@agents.fel.cvut.cz @eldracote

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Question No: 2 Which identifier is used to describe the application or process that submitted a log message? Volume: 65 Questions Question No: 1 Which definition of a fork in Linux is true? A. daemon to execute scheduled commands B. parent directory name of a file pathname C. macros for manipulating CPU sets

More information

CSc 450/550: Computer Communications and Networks (Summer 2007)

CSc 450/550: Computer Communications and Networks (Summer 2007) 1 2 3 4 5 6 CSc 450/550: Computer Communications and Networks (Summer 2007) Lab Project 3: A Simple Network Traffic Analyzer Spec Out: July 6, 2007 Demo Due: July 25, 2007 Code Due: July 27, 2007 7 8 9

More information

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption Nikos Mourtzinos, CCIE #9763 Cisco Cyber Security Sales Specialist April 2018 New

More information

Encrypted Traffic Security (ETS) White Paper

Encrypted Traffic Security (ETS) White Paper Encrypted Traffic Security (ETS) White Paper The rapid rise in encrypted traffic is changing the security landscape. As more organizations become digital, an increasing number of services and applications

More information

Hidden Figures: Securing what you cannot see

Hidden Figures: Securing what you cannot see Hidden Figures: Securing what you cannot see TK Keanini, Distinguished Engineer Stealthwatch, Advanced Threat Solutions CID-0006 Hello My Name is TK Keanini Keanini (Pronounced Kay-Ah-Nee-Nee) TK: The

More information

DevoFlow: Scaling Flow Management for High Performance Networks

DevoFlow: Scaling Flow Management for High Performance Networks DevoFlow: Scaling Flow Management for High Performance Networks SDN Seminar David Sidler 08.04.2016 1 Smart, handles everything Controller Control plane Data plane Dump, forward based on rules Existing

More information

Flow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018

Flow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018 Flow Measurement For IT, Security and IoT/ICS Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018 What is Flow Data? Modern method for network monitoring flow

More information

Detecting Hidden Spam Bots (and other tales from the NetFlow front lines) Jim Meehan Director, Product Marketing

Detecting Hidden Spam Bots (and other tales from the NetFlow front lines) Jim Meehan Director, Product Marketing Detecting Hidden Spam Bots (and other tales from the NetFlow front lines) Jim Meehan Director, Product Marketing Agenda What is flow data? Legacy solutions and frustrations Modern requirements and architecture

More information

Understanding And Using Custom Queries

Understanding And Using Custom Queries Purpose This document describes how to use the full flexibility of Nagios to get the most out of your network flow data. Target Audience Network admins performing forensic analysis on a network's flow

More information

Introduction. Learning Network License Introduction

Introduction. Learning Network License Introduction The following provides an introduction to installing the Cisco Stealthwatch Learning Network License (Learning Network License) platform, installing a controller on an ESXi host, and deploying an agent

More information

Machine Learning with Python

Machine Learning with Python DEVNET-2163 Machine Learning with Python Dmitry Figol, SE WW Enterprise Sales @dmfigol Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

Demystifying Machine Learning

Demystifying Machine Learning Demystifying Machine Learning Dmitry Figol, WW Enterprise Sales Systems Engineer - Programmability @dmfigol CTHRST-1002 Agenda Machine Learning examples What is Machine Learning Types of Machine Learning

More information

Evidence Gathering for Network Security and Forensics DFRWS EU Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L.

Evidence Gathering for Network Security and Forensics DFRWS EU Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L. Evidence Gathering for Network Security and Forensics DFRWS EU 2017 Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L. Thing Talk outline Context and problem Objective Evidence gathering framework

More information

A hacker in a hoodie with leather gloves tapping a glowing blue lock icon on a transparent touchscreen with ones and zeroes raining down in green

A hacker in a hoodie with leather gloves tapping a glowing blue lock icon on a transparent touchscreen with ones and zeroes raining down in green A hacker in a hoodie with leather gloves tapping a glowing blue lock icon on a transparent touchscreen with ones and zeroes raining down in green onto a circuit board jason SYSTEMATIC NETWORK SECURITY

More information

How to Read Debug Output

How to Read Debug Output How to Read Debug Output Hillstone Networks Inc. 28/10/2015 1 / 16 Index 1 Preface... 3 2 Basic Debug Process... 3 3 Scenario: Traffic Flow is Disconnected... 5 3.1 Topology... 5 3.2 Case 1... 5 3.3 Case

More information

Bro-Osquery. Let Bro know about the hosts it monitors. Steffen Haas Department of Computer Science IT Security and Security Management (ISS)

Bro-Osquery. Let Bro know about the hosts it monitors. Steffen Haas Department of Computer Science IT Security and Security Management (ISS) Steffen Haas Department of Computer Science IT Security and Security Management (ISS) Bro-Osquery Bro Network Monitor https://www.bro.org Let Bro know about the hosts it monitors Osquery Host Monitor https://osquery.io/

More information

Enhanced Threat Detection, Investigation, and Response

Enhanced Threat Detection, Investigation, and Response Enhanced Threat Detection, Investigation, and Response What s new in Cisco Stealthwatch Enterprise Release 6.10.2 Cisco Stealthwatch Enterprise is a comprehensive visibility and security analytics solution

More information

Sharing is Caring: Improving Detection with Sigma

Sharing is Caring: Improving Detection with Sigma SANS Tactical Detection and Data Analytics Summit 2018 Sharing is Caring: Improving Detection with Sigma John Hubbard (@SecHubb) The Blue Team's Journey Sharing is Caring - John Hubbard @SecHubb 2 Blue

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

Detecting malware even when it is encrypted

Detecting malware even when it is encrypted Detecting malware even when it is encrypted Machine Learning for network HTTPS analysis František Střasák strasfra@fel.cvut.cz @FrenkyStrasak Sebastian Garcia sebastian.garcia@agents.fel.cvut.cz @eldracote

More information

Outline. Motivation. Our System. Conclusion

Outline. Motivation. Our System. Conclusion Outline Motivation Our System Evaluation Conclusion 1 Botnet A botnet is a collection of bots controlled by a botmaster via a command and control (C&C) channel Centralized C&C, P2P-based C&C Botnets serve

More information

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref ) Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection;

More information

Chapter 5 End-to-End Protocols

Chapter 5 End-to-End Protocols Chapter 5 End-to-End Protocols Transport layer turns the host-to-host packet delivery service of the underlying network into a process-to-process communication channel Common properties that application

More information

An Experimental Analysis on Iterative Block Ciphers and Their Effects on VoIP under Different Coding Schemes

An Experimental Analysis on Iterative Block Ciphers and Their Effects on VoIP under Different Coding Schemes An Experimental Analysis on Iterative Block Ciphers and Their Effects on VoIP under Different Coding Schemes Gregory Epiphaniou 1 Carsten Maple 1 Paul Sant 1 Matthew Reeves 2 1 Institute for Research in

More information

Languages for Software-Defined Networks

Languages for Software-Defined Networks Languages for Software-Defined Networks Nate Foster, Michael J. Freedman, Arjun Guha, Rob Harrison, Naga Praveen Katta, Christopher Monsanto, Joshua Reich, Mark Reitblatt, Jennifer Rexford, Cole Schlesinger,

More information

Stealthwatch ülevaade + demo ja kasutusvõimalused. Leo Lähteenmäki

Stealthwatch ülevaade + demo ja kasutusvõimalused. Leo Lähteenmäki Stealthwatch ülevaade + demo ja kasutusvõimalused Leo Lähteenmäki 09:00-9:30 Hommikukohv ja registreerimine 09:30 11:15 Stealthwatch ülevaade + demo ja kasutusvõimalused 11:00 11:15 Kohvipaus 11:15 12:00

More information

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016 Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds

More information

TurboFlow: Information Rich Flow Record Generation on Commodity Switches

TurboFlow: Information Rich Flow Record Generation on Commodity Switches Turbo: Information Rich Record Generation on Commodity Switches John Sonchack 1, Adam J. Aviv 2, Eric Keller 3, Jonathan M. Smith 1 1 University of Pennsylvania, 2 USNA, 3 University of Colorado Introduction:

More information

Data Mining for Improving Intrusion Detection

Data Mining for Improving Intrusion Detection Data Mining for Improving Intrusion Detection presented by: Dr. Eric Bloedorn Team members: Bill Hill (PI) Dr. Alan Christiansen, Dr. Clem Skorupka, Dr. Lisa Talbot, Jonathan Tivel 12/6/00 Overview Background

More information

GTRC Hosting Infrastructure Reports

GTRC Hosting Infrastructure Reports GTRC Hosting Infrastructure Reports GTRC 2012 1. Description - The Georgia Institute of Technology has provided a data hosting infrastructure to support the PREDICT project for the data sets it provides.

More information

Deep Learning for Malicious Flow Detection

Deep Learning for Malicious Flow Detection Deep Learning for Malicious Flow Detection Yun-Chun Chen 1 Yu-Jhe Li 1 Aragorn Tseng 1 Tsungnan Lin 1,2 1: National Taiwan University 2: Institute for Information Industry Yun-Chun Chen (NTUEE) Deep Learning

More information

Network Security Monitoring with Flow Data

Network Security Monitoring with Flow Data Network Security Monitoring with Flow Data IT Monitoring in Enterprises NPMD (Network Performance Monitoring & Diagnostics) SNMP basics Flow data for advanced analysis and troubleshooting Packet capture

More information

Tunnel within a network

Tunnel within a network VPN Tunnels David Morgan Tunnel within a network B C E G H I A D F - Packet stream of protocol X - Packet stream of protocol Y - Packet stream: X over Y or X tunneled in/through Y 1 Packet encapsulation

More information

Using Flexible NetFlow Top N Talkers to Analyze Network Traffic

Using Flexible NetFlow Top N Talkers to Analyze Network Traffic Using Flexible NetFlow Top N Talkers to Analyze Network Traffic Last Updated: September 4, 2012 This document contains information about and instructions for using the Flexible NetFlow--Top N Talkers Support

More information

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect Introduction Security has an increased focus from ALL businesses, whether they

More information

Communicating the results of pcap data analysis through common metadata format

Communicating the results of pcap data analysis through common metadata format Communicating the results of pcap data analysis through common metadata format Youki Kadobayashi NICT (National Inst of Comm Tech) / NAIST (Nara Inst of Sci & Tech) / WIDE youki-k is.naist.jp 1 Anomaly

More information

Off-Path TCP Exploits : Global Rate Limit Considered Dangerous

Off-Path TCP Exploits : Global Rate Limit Considered Dangerous Off-Path TCP Exploits : Global Rate Limit Considered Dangerous Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy, University of California, Riverside; Lisa M. Marvel, United

More information

Mapping of Address and Port Using Translation

Mapping of Address and Port Using Translation The feature provides connectivity to IPv4 hosts across IPv6 domains. Mapping of address and port using translation (MAP-T) is a mechanism that performs double translation (IPv4 to IPv6 and vice versa)

More information

Subscriber Data Correlation

Subscriber Data Correlation Subscriber Data Correlation Application of Cisco Stealthwatch to Service Provider mobility environment Introduction With the prevalence of smart mobile devices and the increase of application usage, Service

More information

Encrypted Traffic Analytics Deployment Guide

Encrypted Traffic Analytics Deployment Guide Cisco Validated design Encrypted Traffic Analytics Deployment Guide December 2017 Table of Contents Table of Contents Introduction... 1 Design Overview... 2 Components at a Glance...6 Use Cases... 10 Crypto

More information

Quality of Service for VPNs

Quality of Service for VPNs The QoS for VPNs feature provides a solution for making Cisco IOS QoS services operate in conjunction with tunneling and encryption on an interface. Cisco IOS software can classify packets and apply the

More information

Network Control, Con t

Network Control, Con t Network Control, Con t CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/

More information

Queue Overflow. Dropping Packets. Tail Drop. Queues will always sometimes overflow. But Cause more variation in delay (jitter)

Queue Overflow. Dropping Packets. Tail Drop. Queues will always sometimes overflow. But Cause more variation in delay (jitter) Queue Overflow Queues will always sometimes overflow Can reduce chances by allocating more queue memory But Cause more variation in delay (jitter) So Often want only short queues Just enough to cope with

More information

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks Monitoring and diagnostics of data infrastructure problems in power engineering Jaroslav Stusak, Sales Director CEE, Flowmon Networks 35,000 kilometers of electric power, which feeds around 740,000 clients...

More information

ARIA SDS. Application

ARIA SDS. Application ARIA SDS Packet Intelligence Application CSPi s ARIA SDS Packet Intelligence (PI) application enhances an organization s existing network security capabilities by enabling the monitoring of all network

More information

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics Solution Overview Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics BENEFITS Gain visibility across all network conversations, including east-west and north-south

More information

Intel 10Gbe status and other thoughts. Linux IPsec Workshop Shannon Nelson Oracle Corp March 2018

Intel 10Gbe status and other thoughts. Linux IPsec Workshop Shannon Nelson Oracle Corp March 2018 Intel 10Gbe status and other thoughts Linux IPsec Workshop 2018 Shannon Nelson Oracle Corp March 2018 2 Summary 10Gbe Niantic and family have IPsec HW offload Initial driver support came out in v4.15 Approx

More information

CNIT 121: Computer Forensics. 9 Network Evidence

CNIT 121: Computer Forensics. 9 Network Evidence CNIT 121: Computer Forensics 9 Network Evidence The Case for Network Monitoring Types of Network Monitoring Types of Network Monitoring Event-based alerts Snort, Suricata, SourceFire, RSA NetWitness Require

More information

Concept: Traffic Flow. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig

Concept: Traffic Flow. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig Concept: Traffic Flow Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig 1 Passive measurement capabilities: Packet monitors Available data: All protocol information All content Possible analysis: Application

More information

The case for ubiquitous transport-level encryption

The case for ubiquitous transport-level encryption 1/25 The case for ubiquitous transport-level encryption Andrea Bittau, Michael Hamburg, Mark Handley, David Mazières, and Dan Boneh Stanford and UCL November 18, 2010 Goals 2/25 What would it take to encrypt

More information

Studying the Security in VoIP Networks

Studying the Security in VoIP Networks Abstract Studying the Security in VoIP Networks A.Alseqyani, I.Mkwawa and L.Sun Centre for Security, Communications and Network Research, Plymouth University, Plymouth, UK e-mail: info@cscan.org Voice

More information

Cisco Stealthwatch Endpoint License with Cisco AnyConnect NVM

Cisco Stealthwatch Endpoint License with Cisco AnyConnect NVM Cisco Stealthwatch Endpoint License with Cisco AnyConnect NVM How to implement the Cisco Stealthwatch Endpoint License with the Cisco AnyConnect Network Visibility Module Table of Contents About This Document...

More information

User Role Firewall Policy

User Role Firewall Policy User Role Firewall Policy An SRX Series device can act as an Infranet Enforcer in a UAC network where it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from

More information

Monitoring and Analysis

Monitoring and Analysis CHAPTER 3 Cisco Prime Network Analysis Module 5.1 has two types of dashboards: One type is the summary views found under the Monitor menu, and the other type is the over time views found under the Analyze

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking

More information

Integration Debugging Information

Integration Debugging Information APPENDIXC June 18, 2013, Debugging Information for Cisco Adaptive Security Appliance, page C-1 Debugging Access Edge and OCS Server, page C-5 Debugging Information for Cisco Adaptive Security Appliance

More information

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer 10 January 2017 FloCon 2017 San Diego, CA Netflow Collection and Analysis at a Tier 1 Internet Peering Point Fred Stringer AT&T Chief Security Organization Systems Engineer/Network Architect AT&T Intellectual

More information

Contents. Introduction. Prerequisites. Background Information

Contents. Introduction. Prerequisites. Background Information Contents Introduction Prerequisites Background Information Limitation Configure Network Diagram Initial configuration R2 R3 IPSec configuration R2 EzPM configuration Workaround Verify Troubleshooting Related

More information

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE REVISION HISTORY Revised By Date Changes Dennis Boas Aug 2016 Version 1 initial release 1344 CROSSMAN AVE SUNNYVALE, CA 94089 1.866.55.ARUBA T: 1.408.227.4500

More information

ASA 8.x/ASDM 6.x: Add New VPN Peer Information in an Existing Site-to-Site VPN using ASDM

ASA 8.x/ASDM 6.x: Add New VPN Peer Information in an Existing Site-to-Site VPN using ASDM ASA 8.x/ASDM 6.x: Add New VPN Peer Information in an Existing Site-to-Site VPN using ASDM Contents Introduction Prerequisites Requirements Components Used Conventions Backround information ASDM Configuration

More information

Flexible NetFlow - Top N Talkers Support

Flexible NetFlow - Top N Talkers Support This document contains information about and instructions for using the Flexible NetFlow - Top N Talkers Support feature. The feature helps you analyze the large amount of data that Flexible NetFlow captures

More information

Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter CHAPTER 46 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary

More information

Network Tools. Contents. Saurabh Barjatiya Mon. 1 Port scanning (nmap) 2

Network Tools. Contents. Saurabh Barjatiya Mon. 1 Port scanning (nmap) 2 Network Tools Saurabh Barjatiya 2012-03-19 Mon Contents 1 Port scanning (nmap) 2 2 Capturing packets at command line (tcpdump) 3 2.1 About tcpdump.......................... 3 2.2 Useful command line options..................

More information

CAMNEP: Multistage Collective Network Behavior Analysis System with Hardware Accelerated NetFlow Probes

CAMNEP: Multistage Collective Network Behavior Analysis System with Hardware Accelerated NetFlow Probes CAMNEP: Multistage Collective Network Behavior Analysis System with Hardware Accelerated NetFlow Probes Martin Rehak, Pavel Celeda, Michal Pechoucek, Jiri Novotny CESNET, z. s. p. o. Gerstner Laboratory

More information

Stonesoft Next Generation Firewall. Release Notes Revision C

Stonesoft Next Generation Firewall. Release Notes Revision C Stonesoft Next Generation Firewall Release Notes 5.10.4 Revision C Table of contents 1 About this release...3 System requirements... 3 Build version...6 Compatibility...7 2 New features...8 3 Enhancements...

More information

Lab 3: Packet Capture (IDS and ARP Detection)

Lab 3: Packet Capture (IDS and ARP Detection) Lab 3: Packet Capture (IDS and ARP Detection) Details Aim: To provide an understanding of building a basic Intrusion Detection System (IDS) using C# and WinPCap. Overview This tutorial shows how it is

More information

Impact of Sampling on Anomaly Detection

Impact of Sampling on Anomaly Detection Impact of Sampling on Anomaly Detection DIMACS/DyDan Workshop on Internet Tomography Chen-Nee Chuah Robust & Ubiquitous Networking (RUBINET) Lab http://www.ece.ucdavis.edu/rubinet Electrical & Computer

More information

CS 356: Computer Network Architectures. Lecture 17: End-to-end Protocols and Lab 3 Chapter 5.1, 5.2. Xiaowei Yang

CS 356: Computer Network Architectures. Lecture 17: End-to-end Protocols and Lab 3 Chapter 5.1, 5.2. Xiaowei Yang CS 356: Computer Network Architectures Lecture 17: End-to-end Protocols and Lab 3 Chapter 5.1, 5.2 Xiaowei Yang xwy@cs.duke.edu Transport protocols Before: How to deliver packet from one host to another

More information

EE 122: Transport Protocols: UDP and TCP

EE 122: Transport Protocols: UDP and TCP EE 122: Transport Protocols: and provides a weak, but efficient service model (best-effort) - Packets can be delayed, dropped, reordered, duplicated - Packets have limited size (why?) packets are addressed

More information

Competitive Analysis. Version 1.0. February 2017

Competitive Analysis. Version 1.0. February 2017 Competitive Analysis Version 1.0 February 2017 WWW.SOLIDASYSTEMS.COM Introduction This document discusses competitive advantages between Systems security appliances and other security solutions in the

More information

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter,

More information

Mininet & OpenFlow 19/05/2017

Mininet & OpenFlow 19/05/2017 Mininet & OpenFlow 19/05/2017 Setup 1: Mininet-based Single Switch sudo mn --topo single,3 --switch ovsk --controller remote c0 Controller port6633 virtual switch loopback (127.0.0.1:6633) s1 OpenFlow

More information

Cisco Advanced Malware Protection (AMP) for Endpoints

Cisco Advanced Malware Protection (AMP) for Endpoints Cisco Advanced Malware Protection (AMP) for Endpoints Endpoints continue to be the primary point of entry for attacks! 70% of breaches start on endpoint devices WHY? Gaps in protection Gaps in visibility

More information

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Comments and errata should be directed to: cyber- tm@cisco.com Introduction One of the most common network

More information

Using traffic snapshots to detect DDoS attacks From state-of-the-art approaches to the industry

Using traffic snapshots to detect DDoS attacks From state-of-the-art approaches to the industry Using traffic snapshots to detect DDoS attacks From state-of-the-art approaches to the industry Gilles Roudière 1 (PhD student) Philippe Owezarski 1, François Devienne 2 (Supervisors) 1, {gilles.roudiere,

More information

Denial-of-Service (DoS), continued

Denial-of-Service (DoS), continued Denial-of-Service (DoS), continued CS 161: Computer Security Prof. David Wagner April 4, 2016 Transport-Level Denial-of-Service Recall TCP s 3-way connection establishment handshake Goal: agree on initial

More information

Understanding Cisco Cybersecurity Fundamentals

Understanding Cisco Cybersecurity Fundamentals 210-250 Understanding Cisco Cybersecurity Fundamentals NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-250 Exam on Understanding Cisco

More information

SUPC: SDN enabled Universal Policy Checking in Cloud Network

SUPC: SDN enabled Universal Policy Checking in Cloud Network SUPC: SDN enabled Universal Policy Checking in Cloud Network Ankur Chowdhary, Adel Alshamrani, and Dijiang Huang Arizona State University {achaud16, aalsham4, dijiang}@asu.edu arxiv:1811.00657v1 [cs.cr]

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision B McAfee Next Generation Firewall 5.7.4 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

Predictive Analytics using Teradata Aster Scoring SDK

Predictive Analytics using Teradata Aster Scoring SDK Predictive Analytics using Teradata Aster Scoring SDK Faraz Ahmad Software Engineer, Teradata #TDPARTNERS16 GEORGIA WORLD CONGRESS CENTER At Teradata, we believe. Analytics and data unleash the potential

More information

Characterization of ESnet LAN traffic at LBNL and the Comparison Between TCPDUMP Collection and NetFlow Sampling.

Characterization of ESnet LAN traffic at LBNL and the Comparison Between TCPDUMP Collection and NetFlow Sampling. Characterization of ESnet LAN traffic at LBNL and the Comparison Between TCPDUMP Collection and NetFlow Sampling. Esnet Measurements Team measurements@es.net Mike Collins - Author Chin Guok - Measurement

More information

We re Gonna Need a Bigger Boat

We re Gonna Need a Bigger Boat SESSION ID: CSV-F01 We re Gonna Need a Bigger Boat Alan Ross Senior Principal Engineer Intel Corporation Grant Babb Research Scientist Intel Corporation IT Analytics: All about the changing Enterprise

More information

McAfee Next Generation Firewall (Stonesoft)

McAfee Next Generation Firewall (Stonesoft) McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: McAfee Next Generation Firewall (Stonesoft) September 2, 2014 McAfee NGFW Page 1 of 7 Important Note: The information contained

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.3.6-8.1.3.5 M-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation

More information

Implementing Cisco Cybersecurity Operations

Implementing Cisco Cybersecurity Operations 210-255 Implementing Cisco Cybersecurity Operations NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-255 Exam on Implementing Cisco

More information

The IDP system generates logs for device events and security events. Table 1 summarizes options for viewing and managing logs.

The IDP system generates logs for device events and security events. Table 1 summarizes options for viewing and managing logs. IDP Logs Overview The IDP system generates logs for device events and security events. Device event logs are related to the operation of the IDP appliance. By default, the system logs events when it reaches

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Real-time application visibility and policy management using advanced analytics Yogesh Kaushik, Sr. Director Product Management PSOACI-2100 Agenda Market context Introduction:

More information

Research on adaptive network theft Trojan detection model Ting Wu

Research on adaptive network theft Trojan detection model Ting Wu International Conference on Advances in Mechanical Engineering and Industrial Informatics (AMEII 215) Research on adaptive network theft Trojan detection model Ting Wu Guangdong Teachers College of Foreign

More information

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097 Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Dr. Nils

More information

Troubleshooting High CPU Utilization Due to the IP Input Process

Troubleshooting High CPU Utilization Due to the IP Input Process Troubleshooting High CPU Utilization Due to the IP Input Process Document ID: 41160 Contents Introduction Prerequisites Requirements Components Used Conventions IP Input Sample IP Packet Debugging Session

More information

2

2 1 2 3 4 5 6 libpcap: h0p://www.tcpdump.org/ 7 Some discussion quesaons to make sure that students are all at a reasonable level: 1. What are some examples of protocols at each layer? 1. FDDI, token ring,

More information

Security Monitoring with Stealthwatch:

Security Monitoring with Stealthwatch: Security Monitoring with Stealthwatch: The Detailed Walkthrough Matthew Robertson, Technical Marketing Engineer BRKSEC-3014 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback